Started using Sandboxie - any advice?

What I've done is forced all my web-browsers into the defaultbox. µtorrent is not in there cause I trust my common sense and manual scanning for things that seem fishy. Is there anything else like DropMyRights-clone settings that should be applied? What should I simply do except forcing my web-browsers and what other apps. should/could be forced without issues?

Thanks

 

Drop Rights always helps unless your testing installations. Also enable Experimental Protection if you're on a 64-bit system. There are Internet Access and Start/Run Restrictions as well.

 

What complications could there be with Drop Rights for me as a gamer and generally a user who likes avoiding too many steps? Are there any good examples of very useful restrictions in those mentioned areas?

 

create as many sandboxes you need.
example:

Browser Sandbox:
forced Internet Explorer to run in this sandbox
restrict: only allow iexplore.exe to run/ and access internet.
drop rights.


Download directory Sandbox:
forced download directory in this sandbox. (example: C:\Users\your username\Downloads)
restrict: no internet access
drop rights


Gaming sandbox:
just install your games here

Testing box
drop rights and test your softwares here

 

Get Xmarks to keep your passwords/user names from getting deleted on exit.

 

I thought xmark is for bookmarks and lastpass for passwords.. maybe i am missing something here

 

Xmarks can do passwords and user names and other things.

 

No complications on virtually all browsers and games, unless you're installing them. Internet Access Restrictions prevent malicious programs from phoning home. Start/Run prevents them from executing.

 

One step you could also take is to close access to any folders where you may have information you consider private.

Example. Imagine you don't want the browser's sandbox to access your Documents folder. You just block access to the Documents folder.

 

Force anything that connects to the internet, also your mail Mail client, PDF
reader, video players, etc and force them into their own sandbox.
You should create a sandbox for each forced program, that way you can set
each sandbox differently. Different settings, for different programs. You ought
to force each browser into its own sandbox instead of how you have it now.

Bo

 

... since they have their own set of data, got it.

I wanna thank all of you for the advice, this is one of the things I love learning.



A question: When I add My Documents for blocking from my browsers (each separated now), it tells me I should add Windows Filesharing. How do I do that or does it do it for me?

 

Just apply, Sandboxie will add it automatically.

Bo

 

Do not stop!

PS. Sorry, could not resist

 

Regarding DropRights -
When enabled, a process started within the sandbox is treated as a USER. This means the process would have no rights to areas such as windows and program files, exactly the same as the real OS. The obvious example is that executing a setup.exe would fail to install anything if it was destined for program files. It keeps the sandbox "environment" free from any problems usually, because malicous programs cannot install in restricted areas.

DropRights will not prevent things from being installed to user allowed areas, such as MyDocs etc. Keyloggers and company that install to user areas can then run in the sandbox "environment", at least until you delete the contents of the sandbox.

When DropRights is disabled, you are free to execute anything with no restrictions. If a trojan is installed in the sandbox, it is allowed. It will remain until you delete the sandbox contents. The trojan however would be contained to the sandbox, so it would only effect you when you ran something within that sandbox.

Regarding separate sandboxes-
Some like it, some don't. There are some distinct advantages, of which BoElam has pointed out likely the best reason - customize each sandbox for your own purposes rather than make everything fit into one. This can be a little confusing at first and take more time, but the end result is IMO much better. You don't have to do this, you can get along fine with only one sandbox, however, you lose some fine control.

For example, if you use browser A to surf generically, you might think to put it in a generic sandbox. If you use browser B to go to accounts or more sensitive surfing only, you might want to delete its contents every time you use it, thus making sure it always starts in a clean "environment". If you lump browser A and browser B into the same sandbox, you have to make a choise to either NOT delete the sandbox to keep browser A in a more convenient state so it remembers data across using, or you keep browser B happy by deleting the sandbox contents, but then have to live with that decision for browser A.

More granular control will be achieved by making browser A NOT delete every time it is used, and by ALLOWING a different sandbox for browser B to be deleted every time.

Regarding restrictions -
It can be prudent to configure a sandbox to disallow ANY reading of certain things, not only directories that have your sensitive data, but also registry keys. You can block programs within the sandbox from not only reading but also writing. I always have my sandboxes disallow modifications of any autorun locations. In this manner, if the sandbox does get a trojan or something of that nature, it may have installed, but if it tries to set an autorun value, it is denied.

Suppose you have a sandbox for browser A. You might consider restricting network access to only browser A. This way, even if a program starts, it has no network access at all, unless it is browser A. Stops keyloggers from phoning home as an example.

You might consider only allowing browser A to execute. In this way, ONLY browser A will be allowed to start within the sandbox. No other program may run.

You might consider that you use browser A and PDF-Reader-Z, and both of these programs will be the ONLY thing allowed to run, the ONLY thing allowed to have network access, within this specific sandbox.

Regarding direct access and other such settings -
These settings give sandboxie (or anything running in the sandbox) direct access to a directory or files. This can be both good and bad. On the good side, if you always download everything to one place, you can give all your sandboxes direct access to that area, so that when you download something within the sandbox, and save it to this special location, there is no need to recover items from the sandbox to the real location, because you gave direct access. The item(s) were saved there and need no recovery.

The bad side of this is if you allow a directory that might be used against your or contain sensitive infos. Think of direct access carefully before implementing.

HTH>

Sul.

 

As part of the customisation when using multiple sandboxes, it's not a bad idea to make sure that each sandbox is easily identifiable, perhaps using a different coloured border for each one as a visual reminder. That way, the risk of entering sensitive data by accident into a sandbox intended for general use is minimised.

I realise that you would do this kind of thing automatically, but I just thought I'd mention it for the benefit of any less experienced users who may be reading this thread.

Excellent post by the way!

 

Love you Sully <3

 

Thank you for this excellent tip

 

You're welcome.

Regards

 

Interesting idea Sully, could you share how you set this up?
thanks

 

Here is a perfect example. In your sandbox, under ResourceAccess>RegistryAccess, you can choose to allow direct access or block access or allow read-only access. One thing you can do is to set your autorun registry keys to read-only or block. Here is one common registry autorun key that you might want to restrict

Code:

ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Under ResourceAcces>FileAccess you could set some key files or directories to read-only or block them. As an example, one would have had this in the list as Read-only

Code:

c:\io.sys
c:\autoexec.bat

Many already use other forms of restrictions such as what processes are allowed to run, what processes are allowed network access.

I can't tell you much on how to set up restrictions other than common items such as those I've just mentioned. Apart from those, you need to decide what you want off-limits. Usually it is either directories that house your personal data, or you want to block access to certain files for some reason. Just one of the reasons I really like using SBIE, because I am free to get as lean or heavy as I want to with it, but no matter how heavy I get with it, it never bogs it down with too many rules etc.

Sul.

 

The main and most important things to setup are...:

- Force IE/Firefox/Chrome etc into SandboxIE.
- Make sure to delete Sandbox at end of sessions.
- Limit The Internet access.
- Drop User rights

Right Click tray icon, click "Show Window", then click "Sandbox" > "Default Box" > "Sandbox Settings"...

In settings window, on left side click on "Delete", then "Invocation" and on the right side check "Automatically delete contents of Sandbox" ... Preferably add a secure deletion program to it as well, ie, eraser.

Now move on left side to "Program Start", then "Forced Programs", on the right, either add by Name or Filename and add your browser, Email Client etc.

Next move on left side to "Program Stop", then "Leader Programs", on the right either add by name or filename and add your your browser, Email Client etc.

Then move on the left side to "File Migration" and on the right change the size to any relevant sized apps you might be running, mines configured for 512000 (500MB).

Then move to "Restrictions" on the left, then "Internet Access" and add only those applications you want to allow internet access.

Then while still in "Restrictions" click on "Drop Rights", on the right hand side check "Drop rights from Administrators and Power Users groups".

Now, click on "Resource Access" > "File Access" > "Full Access" and on the right add your "Downloads" directory, or any other routine "Save to" directory. This is useful as it becomes annoying to constantly recover files.

While under "File Access", click on "Read-Only Access", on the right add the Windows, Programdata and Program file directories as read only.

On the left click on "Applications" > "Web Browser" > (whatever browser you are using) and on the right enable as many Direct Access things you may need. Then click on "Email Reader" and do the same thing on the right. Then do same thing with "PDF Reader" etc until all your applications have been covered.

 

You don't need to give Full Access. Direct Access is more than enough.

 

Nice post, but you should really do the decent thing and quote the original poster to give them some credit:
http://forums.whirlpool.net.au/archive/1475164

 

I was wondering how someone like him could post something like that.